Shostack + Friends Blog Archive


Meet The New Browser Security, Same as the Old Browser Security?

toolbar.jpgThere’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought out post, which starts from the wrong place:

Today I want to tell you about both our established plan to highlight secure sites in IE7 but also to tell you about some early thinking in the industry about creating stronger standards for identity on the internet.

I think that defining the issue as stronger identity standards is likely to worsen the problems of phishing and pharming. A higher bar to jump over will simply mean that when phishers jump that bar, they’ll be more successful, because more indicators will act to re-assure users. That higher bar will be operated by ‘Certification Authorities,’ (CAs), whose focus will be keeping costs down. This is not helpful to the consumer whose identity is being stolen. The value of that identity (and the credit granted) is more than any business would like to spend on a digital certificate. So we need to move security, in a usable way, to the control of the consumer who is at risk. To do that, we need better persistence of identity information.

That is, we want the bank we visit tomorrow to be the same bank we visited yesterday. More validation by the CA doesn’t achieve that. It achieves a tighter bond between the name on the certificate, and the name on the server. Frank Hecker has a long post, “CAs, certificates, and the SSL/TLS UI” in which he outlines what the extended validation system might be. He also refers to Tyler Close’s “Petname,” which I wasn’t aware of. The idea is that you nickname a site. I think that’s awesome, and a better direction than more reliance on CA processes.

Persistence of identity can be hard, because the identity of a website is often made complex. But that doesn’t mean it’s the wrong solution, only that businesses will have to put effort into helping customers make it work. The import of this effort is less open to question when your customers are threatening to go back to the more reliable brick store fronts. As Tyler Close demonstrates, its possible to build something that works in the consumer’s model of the world. “That’s right, I’ve been to this site.”

This is a user-centered, rather than a CA-centered approach. The user-centric approach means that the security target is distributed. Further, local names means that the user is drawn into making security persistence decisions. (Whether that’s a good idea is open to question.) But the user could be encouraged to name sites, and then bookmark them. (I discuss the value of bookmarks as a persistence tool in “Preserving the Internet Channel Against Phishers.”) Will this work better than the CA model? It’s hard to say without actually observing users in testing.

The “trusted certificate authority” model has had a decade or so to demonstrate its value. It’s time we tried something else.

5 comments on "Meet The New Browser Security, Same as the Old Browser Security?"

  • FYI. Tyler’s Petname toolbar is the easiest and also works on Mac. However it wasn’t the first, that title goes to Trustbar, which I first spotted in July of 2004 (see Making VeriSign like CocaCola below).
    What Tyler added was to a) name the beast as although Amir was on the right track, he hadn’t been aware of Petnames as a concept and his implementation and philsophy was muddled, b) wrote it in its minimalist form as opposed to Trustbar which is a comprehensive approach, and c) provided some competition to Amir, which they have both benefitted from exceedingly. We’ve since stressed that competition in the AntiFraudCoffeeRoom over at CAcert.
    The drum has been banging on how to do this for the longest time… It’s easy to cut Microsoft short on this because they’ve made an error in shooting for better “identity validation.” They are wrong on that but they will discover in a year or two, it’s an understandable and small error in the scope of things.
    Microsoft are to be praised to the roof on phishing. They have single handedly done what no regulator, no security person, no vendor, no browser, no phisher, no victim and no bank could do. They’ve provided us all with the greatest weapon possible against phishing: credibility. Until Microsoft 1) stated that phishing was a browser threat and 2) put a release out there with anti-phishing built in, anyone who talked about phishing was ignored by the mainstream and considered a kook. Now you get to read about it where it matters – in the blogs of the browser makers themselves who are now starting the long journey of learning about phishing.
    We have Microsoft to thank for that. (Start with Trustbar and Petname, guys!)

  • In response to the lore of petnames not being documented, Marc Stiegler wrote an Introduction to Petname Systems (click below) which we pre-reviewed in FC++ (see on the FC blog). It got a lot of commentary, and the article is looking for a place to publish.
    Petnames and Zooko’s Triangle are an up and coming security pattern and it is well worth the effort to get familiar with the concepts.

  • Frank Hecker says:

    Just for the record, I did in fact link to the “Introduction to Petname Systems” article in my post; I wanted to provide a link to describe the overall concept (in addition to linking to Tyler Close’s implementation of it); the intro article is the third link returned from a Google search for “petname”, after the extension itself.

  • Tyler Close says:

    Just for the record, I first produced, and made available for download, a petname tool for web browsing in the summer of 2003. I also wrote paper explaining the theory that summer. The paper is at . You can use the “previous” links to get back to the original paper. I also announced the work on the cryptography list in July of 2003. A very heated, but not very productive, conversation ensued.
    I can claim credit for discovering the importance of the petname concept to the phishing problem; however, credit for the underlying mechanism goes to Mark Miller and others working at Electric Communities at the time.

  • Tyler Close says:

    Hmmm… The paper link in my previous comment does not show up. You can find the paper by searching for “Trust Management for Humans“.
    [Edited by Adam: that title should now be a link.]

Comments are closed.